kube-ops-view icon indicating copy to clipboard operation
kube-ops-view copied to clipboard

Published 20 hours ago verified publisher icon hjacobs

Oauth (google auth) crashes kube-ops-view

Open iMartyn opened this issue 6 years ago • 3 comments

As the title suggests, if you auth with a cluster by oauth token from GApps, the users.user.auth-provider.config.id-token is a JWT auth token, but kube-ops-view attempts to use b64decode on it. This fails with an error like

Traceback (most recent call last):
  File "/kube_ops_view/update.py", line 42, in update_clusters
    for cluster in clusters:
  File "/kube_ops_view/cluster_discovery.py", line 146, in get_clusters
    kubernetes.config.load_kube_config(config_file, context=context['name'], client_configuration=config)
  File "/usr/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 476, in load_kube_config
    loader.load_and_set(client_configuration)
  File "/usr/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 354, in load_and_set
    self._load_authentication()
  File "/usr/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 185, in _load_authentication
    if self._load_oid_token():
  File "/usr/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 236, in _load_oid_token
    base64.b64decode(parts[1]).decode('utf-8')
  File "/usr/lib/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

Which is understandable because JWT is multiple b64 strings concatenated with ., - and _ characters.

Obviously my cluster is accessible with kubectl but this completely breaks kube-ops-view's loading for all the clusters listed in my config.

If k-o-v must decode the values manually, can it at least not crash on this kind of expectation so that the other clusters in my config can be monitored.

iMartyn avatar Aug 20 '18 16:08 iMartyn

Interesting case, the exception comes from the official Python Kubernetes client. Can you paste instructions on how to reproduce and some sanitized (with sensitive credentials replaced) ~/.kube/config file?

hjacobs avatar Aug 21 '18 06:08 hjacobs

Sure, I'll grab them shortly. I was going to add them to the original report but didn't have time to sanitize.

iMartyn avatar Aug 21 '18 11:08 iMartyn

fyi, looks like there's an upstream fix https://github.com/kubernetes-client/python-base/pull/70 - Unfortunately when I generate a JWT token with sanitised data it works (because padding). Would be really nice if kube-ops-view would handle the exception better though. I managed to make a config with my real auth that loads (doesn't crash) with kube-ops-view but it doesn't actually auth, and it will not work with kubectl (which does JWT properly)

iMartyn avatar Aug 21 '18 12:08 iMartyn